deathnote

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: the “DeathNote” ransomware family does not replace the original extension with a static suffix; instead it appends “.deathnote” immediately after the original file name and extension, leaving the original extension in place.
    Example: Contract_2024.docx → Contract_2024.docx.deathnote

  • Renaming Convention:
    The malware works directory-by-directory in lexicographic order. Each file is renamed as soon as its encryption completes, so if the process is interrupted, victims see “.deathnote” files mixed with untouched data.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First significant public sightings occurred in late March 2022, when several Japanese and South-East Asian MSPs reported hundreds of endpoints whose Shadow-Copy data had been wiped, followed by the appearance of “.deathnote” ransom notes. The wave exploded in April–May 2022 and tapered off after public decryption tools were released (see below).

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. RDP brute-force and credential stuffing – Operators routinely scan TCP/3389 for weak administrator credentials.
    2. ProxyShell & ProxyLogon – Exploits against un-patched Exchange 2013/2016/2019 servers to drop the first-stage PowerShell loader.
    3. Log4Shell (CVE-2021-44228) – Used against vulnerable Java-based web appliances and on-prem ERP systems to gain a foothold.
    4. Phishing campaigns – ISO and IMG attachments containing “photo.exe” that sideloads DeathNote’s main DLL once the victim double-clicks the mounted image.
    5. Supply-chain abuse – A small cluster of incidents involved compromised MSP management agents (specifically an outdated ConnectWise Automate plugin).

Remediation & Recovery Strategies:

1. Prevention

  • Patch immediately: Windows SMB (MS17-010), Exchange (ProxyShell patches), Apache Log4j, and any recent RDP vulnerabilities.
  • Disable or restrict RDP to VPN-only; enforce strong, unique passwords plus MFA.
  • Use application whitelisting (e.g., Microsoft Defender Application Control) to block unsigned binaries such as “photo.exe”.
  • Deploy EDR that monitors PowerShell, vssadmin, wbadmin, and bcdedit tampering.
  • Maintain offline or immutable backups (WORM S3, Veeam hardened repositories, ZFS snapshots replicated off-site via SSH).

2. Removal

Boot into Windows Safe Mode with Networking, then:

  1. Identify and kill the main process (xyzcrypt.exe or photo.exe) via Task Manager or wmic process get name,processid.
  2. Delete persistent scheduled tasks under C:\ProgramData\Microsoft\Windows\TaskScheduler named “PrinterUpdate” or similar.
  3. Remove startup entries (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the per-user RunOnce key).
  4. Trigger a full Microsoft Defender scan via PowerShell; note that Defender signature version 1.367.708.0 (July 2022) detects the strain as Ransom:Win32/Deathnote.A.
  5. Reboot into normal mode; verify that no new “.deathnote” files appear when files are added to a test folder.

3. File Decryption & Recovery

  • Recovery Feasibility: SUCCESSFUL (no ransom necessary). The first-generation DeathNote used a fixed 2048-bit RSA public key embedded in the binary; the matching private key was recovered by Kaspersky Lab and placed in the “RakhniDecryptor” utility on 19 May 2022.
  • Essential Tool: download Kaspersky RakhniDecryptor 3.20 or newer. Point it at the infected disk (select “DeathNote” from the supported list). Ensure the original file extension is still present; if it is not, the tool falls back to auto-detection via magic bytes.
  • No other decryption tool is required; however, an offline backup is still your safety net in the event of a key rotation in future variants (none observed yet).

4. Other Critical Information

  • “DeathNote” is a derivative of Chaos 4.0 but adds an anime-themed ransom note; it deliberately leaves volume-shadow backups intact, so the standard vssadmin list shadows command and restore-point browsing can recover previous file versions, provided the shadow copies were not deleted.
  • Network impact: Unlike other families that exfiltrate data, DeathNote performs no data-theft extortion—its sole purpose is encryption.
  • Recovery best practice: As the decryption tool only works on files < 1 MiB, large databases must be restored from backups. Always perform integrity checks on recovered data (especially PST, SQL-BAK, and ZIP archives).
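The following triage script is an added example, not part of the original write-up or of any vendor tool. It relies on two facts stated above: the malware appends “.deathnote” after the original name and extension (so the original extension survives), and the decryptor only handles files smaller than 1 MiB. All paths, sizes and file contents are constructed sample data.

```python
"""Inventory '.deathnote' files and split them into decryptor vs. backup candidates."""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

SUFFIX = ".deathnote"
DECRYPTOR_LIMIT = 1 << 20  # 1 MiB: stated size limit of the public decryptor


@dataclass
class Hit:
    path: str
    original_name: str   # name before the suffix was appended
    original_ext: str    # extension preserved under the suffix ('' if missing)
    size: int
    decryptable: bool    # small enough for the decryptor


def is_deathnote(name: str) -> bool:
    # Windows file systems are case-insensitive, so compare case-insensitively.
    return name.lower().endswith(SUFFIX) and len(name) > len(SUFFIX)


def classify(path: Path) -> Hit:
    original = path.name[: -len(SUFFIX)]
    size = path.stat().st_size
    return Hit(str(path), original, Path(original).suffix, size, size < DECRYPTOR_LIMIT)


def triage_tree(root: str) -> list:
    """Walk root and return every renamed file, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(classify(Path(dirpath) / n) for n in files if is_deathnote(n))
    return sorted(hits, key=lambda h: h.path)


def summarize(hits: list) -> dict:
    small = sum(h.decryptable for h in hits)
    return {"total": len(hits), "decryptable": small, "restore_from_backup": len(hits) - small}


def build_sample_tree() -> str:
    """Constructed sample: two small renamed files, one oversized one, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="deathnote_sample_"))
    (root / "docs").mkdir()
    (root / "db").mkdir()
    (root / "docs" / "Contract_2024.docx.deathnote").write_bytes(b"x" * 512)
    (root / "docs" / "notes.txt").write_bytes(b"clean")          # untouched data
    (root / "db" / "sales.bak.deathnote").write_bytes(b"\0" * (DECRYPTOR_LIMIT + 1))
    (root / "archive.zip.deathnote").write_bytes(b"PK" * 10)
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for h in triage_tree(sample):
        print(f"{h.path}: ext={h.original_ext!r} -> {'decryptor' if h.decryptable else 'BACKUP'}")
    print(summarize(triage_tree(sample)))
```

Point `triage_tree` at a mounted image of the affected volume to get the list of files to feed the decryptor and the list that must come from backups.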